IDGNet Virus & Security Watch Friday 9 August 2002

This issue's topics:

Introduction:

* MCMS, Google Toolbar, XDR library updates, Goner writers in court

Virus News:

* Goner writers in court...

Security News:

* Critical fixes for Microsoft Content Management Server 2001

* Google Toolbar update fixes multiple security flaws

* 'New' Win32 security attack against Windows message infrastructure

* Internet Explorer 6.0 service pack 1 release imminent

* Remote code execution exploit in Eudora

* SHOUTcast admin password logged to world-readable file

* Critical XDR library flaws affect multiple platforms & devices

* Weak file permissions in Linux-iSCSI package on some distributions

* US Department of Defense not convinced of wireless device securability

Introduction:

The Northern hemisphere summer seems to be keeping the virus front fairly quiet still. However, there was an encouraging report from Israel about the charges facing the teenagers that wrote and initially distributed the Goner virus.

On the security front, there is a critical Microsoft Content Management Server update and SP1 for IE 6.0 seems due very soon, given it was spotted prematurely on a Microsoft web site, downloaded and tested by a couple of security researchers who reported some of their findings to the NTBugtraq mailing list. Keep your eyes open for this service pack - it may well officially ship in the next few hours or on Friday (relative to the US West Coast...).

Aside from the critical and widespread XDR library problems (partly) listed in the latest CERT/CC advisory, the rest of the newsletter is rounded out with several smaller vulnerabilities or talking points of much interest during the last week.

Virus News:

* Goner writers in court...

Five Israeli teenagers who were under investigation for the writing and distribution of the Goner virus are now facing charges in relation to the incident. According to the newspaper Ha'aretz, one of the minors is being charged with writing the virus and the others with distributing it. In further reporting of this story, the UK online IT news source The Register claims the five could face between three and five years jail.

Five minors charged with spreading world-wide computer virus - haaretzdaily.com

Israeli teenagers charged with Goner virus outbreak - theregister.co.uk

Security News:

* Critical fixes for Microsoft Content Management Server 2001

Microsoft has released a patch that fixes several vulnerabilities in Microsoft Content Management Server (MCMS) 2001, which is part of the .Net Enterprise Server product range. One of these vulnerabilities - a buffer overflow - could possibly allow remotely specified code to run under the local system security context and is thus rated as being of critical severity. The other two vulnerabilities - SQL injection and code upload flaws - are both rated as moderate severity. Administrators of systems running MCMS 2001 should obtain and install the patch linked from the security bulletin as soon as practicable.

Microsoft Security Bulletin MS02-041

* Google Toolbar update fixes multiple security flaws

Security researchers at GreyMagic Software have released details of, and sample exploits for, multiple security flaws in the Google Toolbar add-in for Internet Explorer. In brief, these flaws mainly hinge on cross site scripting and security zone weaknesses in the implementation of core Google Toolbar functionality and allow remote reading of files local to the web browser and execution of arbitrary local programs. Version 1.1.58 and earlier of the Google Toolbar are said to be vulnerable. Google released fixed versions of the toolbar a couple of days ago and the software's automatic update functionality should have seen active users of the toolbar obtain and install these updates by now.

Administrators of machines using the Google Toolbar can check the installed version by clicking the Google icon on the toolbar then selecting 'About Google Toolbar...'. If making this check, note that should an instance of IE have been left running, the toolbar version reported will be the version that loaded when IE started even if a newer version of the toolbar has been downloaded and will be loaded when IE is next initialized. The Google Toolbar add-in runs its auto-update checks when the toolbar DLL is loaded by IE without warning the user that either the check is being made or an update is available. If a toolbar update is available when the toolbar loads, it is downloaded and configured for use when IE next initializes.

There is no apparent mention of these issues anywhere on Google's web site.

Exploiting the Google toolbar - greymagic.com

* 'New' Win32 security attack against Windows message infrastructure

A message posted to several security-oriented mailing lists this week has caused something of a stir. Chris Paget claimed to have discovered a whole new class of security vulnerability, but most commentators disagree. Respondents to his paper have generally pointed out that Paget's 'attack' is really an attack against design shortcomings in (mostly third-party/non-Microsoft) software, rather than a fundamentally non-securable design flaw in Windows, as Paget suggested. Further, several people have pointed out that previous discussions of the basic issues underlying the possibility of Paget's exploit date back several years, so it is hardly 'new' either.

Regardless of these criticisms however, Paget does highlight an interesting class of attacks that is possible in many cases because too many services do install with the ability to interact with the standard user desktop. Two discussion threads on two mailing lists are linked below for those wishing to read the full range of opinions on this.

White paper: Exploiting the Win32 API - Bugtraq thread

White paper: Exploiting the Win32 API - NTBugtraq thread

* Internet Explorer 6.0 service pack 1 release imminent

A couple of messages were posted to the NTBugtraq mailing list within the last 24 hours describing some of the new features in IE6SP1. The service pack has not been officially released yet, but it seems some early birds noticed a copy at Windows Update (these seem to have been withdrawn again). For those interested in the details, we have linked to the archived articles.

Internet Explorer 6 SP1 security changes - ntbugtraq.com

IE6 SP1 highlights - ntbugtraq.com

* Remote code execution exploit in Eudora

Japanese security researchers SecureNet Service (SNS) report the popular e-mail client, Eudora v5.1.1, is vulnerable to an exploitable remote buffer overflow vulnerability. Qualcomm, the software's developer, is reported to have said the flaw will be fixed in the next update to the Windows version of the product. It is not entirely clear whether the bug affects earlier versions than 5.1.1 or 5.0-J (the current English and Japanese releases of the product), or any versions for MacOS or PalmOS.

The discoverer of the vulnerability has published some technical details of the vulnerability (which depends on overflowing a buffer used in handling MIME message component separator strings). Although not released by SNS, a demonstration exploit has also been published. As this information is now publicly available and a patched version of the product is not, sites that use Eudora and have the ability to filter messages by content may be able to set up a protective filter to 'fix', quarantine, or reject messages that could cause problems for the product. SNS reports that MIME boundary headers of 139 or more bytes are problematic and should be filtered.

SNS Advisory No.55: Eudora 5.x for Windows Buffer Overflow Vulnerability
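The protective mail filter suggested above, as an added example that is not code from SNS or from the original newsletter. It uses the 139-byte threshold SNS reports and walks every nested part, since a long boundary can sit on an inner multipart as easily as on the top-level header; the sample messages and function names are constructed for this example.

```python
"""Reject MIME messages whose multipart boundary parameter is long enough to
trigger the Eudora 5.1.1 overflow (SNS Advisory No.55). Constructed example:
the 139-byte limit is the one SNS reports; everything else is illustrative."""
import email
from email import policy

BOUNDARY_LIMIT = 139  # SNS: boundaries of 139 bytes or more are problematic
# RFC 2046 caps boundaries at 70 characters, so a stricter site policy could
# lower BOUNDARY_LIMIT to 71 without rejecting any standards-conforming mail.


def boundary_lengths(raw: bytes) -> list:
    """Parse a raw RFC 2822 message and return the byte length of every
    boundary parameter declared on the top-level message or any nested part.
    Parts that carry no boundary parameter are skipped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    lengths = []
    for part in msg.walk():          # top-level message first, then children
        boundary = part.get_boundary()
        if boundary is not None:
            lengths.append(len(boundary.encode("utf-8")))
    return lengths


def verdict(raw: bytes) -> str:
    """'reject' if any boundary in the message reaches the limit, else 'accept'."""
    if any(n >= BOUNDARY_LIMIT for n in boundary_lengths(raw)):
        return "reject"
    return "accept"


# Constructed sample messages: one benign, one with an over-long boundary,
# one that hides the over-long boundary on a nested multipart/alternative.
LONG_B = b"A" * 139
SAFE_MSG = (b"From: a@example.test\r\nTo: b@example.test\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: multipart/mixed; boundary=\"abc123\"\r\n\r\n"
            b"--abc123\r\nContent-Type: text/plain\r\n\r\nhi\r\n--abc123--\r\n")
BAD_MSG = (b"From: a@example.test\r\nTo: b@example.test\r\nMIME-Version: 1.0\r\n"
           b"Content-Type: multipart/mixed; boundary=\"" + LONG_B + b"\"\r\n\r\n"
           b"--" + LONG_B + b"\r\nContent-Type: text/plain\r\n\r\nhi\r\n"
           b"--" + LONG_B + b"--\r\n")
NESTED_MSG = (b"MIME-Version: 1.0\r\n"
              b"Content-Type: multipart/mixed; boundary=\"outer\"\r\n\r\n"
              b"--outer\r\nContent-Type: multipart/alternative; boundary=\""
              + LONG_B + b"\"\r\n\r\n--" + LONG_B + b"\r\nContent-Type: text/plain"
              b"\r\n\r\nhi\r\n--" + LONG_B + b"--\r\n--outer--\r\n")

if __name__ == "__main__":
    for name, m in (("safe", SAFE_MSG), ("bad", BAD_MSG), ("nested", NESTED_MSG)):
        print(name, boundary_lengths(m), verdict(m))
```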

* SHOUTcast admin password logged to world-readable file

Researchers at Fate Research Laboratories have discovered that SHOUTcast servers can be trivially made to log the administrator password _in cleartext_ to a world-readable file on the server. Anyone with a local user account can then retrieve the log file. This would be especially problematic in shared hosting environments. According to the Fate Labs security advisory, SHOUTcast developers Nullsoft do not consider this a problem, so Fate Labs decided to go public with the details. A simple workaround of changing the permissions on the log file to something more appropriate is discussed in the advisory. Any administrators of SHOUTcast servers should read the advisory and carefully consider their options.

Retrieving the SHOUTcast Admin Password through GET / - fatelabs.com

* Critical XDR library flaws affect multiple platforms & devices

An integer overflow error in Sun's XDR Library code has been discovered. As this code has been widely copied as part of the most popular reference implementations of the remote procedure call (RPC) protocol, and is in a component core to ensuring the reliable cross-platform transmission of data via RPC, the bug is present in many system libraries, applications and embedded devices. Because of the wide range of products possibly affected by this flaw, the CERT Coordination Center Advisory, linked below, is probably the best place for system administrators to start the search for systems needing patching or upgrades.

Code known to be affected includes, but is far from limited to, the Sun Microsystems network services library (libnsl), BSD-derived libraries with XDR/RPC routines (libc), and the GNU C library with sunrpc (glibc, commonly used in modern Linuxes). Expect the vendors of all these products (and many already listed in, or yet to be added to, the CERT/CC advisory) to be posting updates.

CERT Advisory CA-2002-25 Integer Overflow In XDR Library
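A model of the overflow class behind CA-2002-25, as an added example that is not code from Sun, CERT/CC or the newsletter. XDR encodes a variable-length array as a 4-byte big-endian element count followed by the elements; if a decoder computes the allocation as count * elsize in 32-bit arithmetic, a large count wraps the product to a small number while the copy loop still runs count times. The decoder below is a constructed Python model of that C logic (the array-decoding routine in the Sun library is xdr_array), with the allocation tracked as a bytearray so the overrun is detected rather than corrupting memory.

```python
"""Constructed model of an XDR variable-length array decoder, showing why the
element count must be checked against both maxsize and UINT_MAX // elsize
before the allocation size is computed (the CA-2002-25 integer overflow).
Not real library code: the bytearray stands in for the C heap allocation."""
import struct

UINT_MAX = 0xFFFFFFFF


def nodesize32(count: int, elsize: int) -> int:
    """Product as a C unsigned 32-bit int would compute it: wraps silently."""
    return (count * elsize) & UINT_MAX


def decode_array(data: bytes, maxsize: int, elsize: int, checked: bool = True) -> bytes:
    """Decode an XDR array of fixed-size elements from data.
    checked=True adds the overflow guard a fixed decoder needs; checked=False
    reproduces the vulnerable logic, raising OverflowError at the point where
    C code would write past its undersized allocation."""
    if len(data) < 4:
        raise ValueError("truncated: no element count")
    (count,) = struct.unpack(">I", data[:4])
    if count > maxsize:
        raise ValueError("count exceeds caller's maxsize")
    if checked and count > UINT_MAX // elsize:
        raise ValueError("count * elsize would overflow 32 bits")
    buf = bytearray(nodesize32(count, elsize))  # what mem_alloc(nodesize) returns
    pos = 4
    for i in range(count):
        off = i * elsize
        if off + elsize > len(buf):
            raise OverflowError(f"element {i} would write past the {len(buf)}-byte allocation")
        if pos + elsize > len(data):
            raise ValueError("truncated: fewer elements than count")
        buf[off:off + elsize] = data[pos:pos + elsize]
        pos += elsize
    return bytes(buf)


# Constructed inputs: a benign 3-element array of 4-byte ints, and a header
# whose count of 0x40000001 * 4 wraps to 4, followed by two elements.
GOOD = struct.pack(">I", 3) + struct.pack(">III", 1, 2, 3)
EVIL = struct.pack(">I", 0x40000001) + b"\x00\x00\x00\x01\x00\x00\x00\x02"

if __name__ == "__main__":
    print(decode_array(GOOD, maxsize=1024, elsize=4).hex())
    print("wrapped size:", nodesize32(0x40000001, 4))
```

A caller-supplied maxsize alone does not save a decoder that passes an effectively unlimited bound (as many RPC programs do), which is why the division check is the one that matters.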

* Weak file permissions in Linux-iSCSI package on some distributions

iSCSI is an increasingly popular protocol allowing implementation of the SCSI protocol over existing IP network infrastructures. Simple storage area networks (SANs) can thus be implemented without the need for a further, SAN-specific network (assuming bandwidth issues are not a limiting factor). Although the default configuration of the reference iSCSI implementation for Linux, Linux-iSCSI from Cisco and SourceForge, has appropriate file permissions on its configuration file, some third-party distributions of Linux-iSCSI set looser permissions. As the primary iSCSI authentication mechanism is CHAP, Linux-iSCSI stores the user's password in cleartext in its configuration file, /etc/iscsi.conf.

The Cisco/SourceForge installation script for Linux-iSCSI sets mode 0600 (read/write only to the owner) with root as the owner. If you use Linux-iSCSI from any other distribution, it would be advisable to check the permissions on your iscsi.conf file; for example, it has been reported that the Red Hat installation sets iscsi.conf world read/write.

Cisco iSCSI Drivers - cisco.com

Project: linux-iscsi - sourceforge.net

* US Department of Defense not convinced of wireless device securability

Further to the ongoing saga of Wireless LAN (WLAN, 802.11b, etc) security flaws, the US Department of Defense (DoD) is set to ban most or all 'consumer grade' wireless devices from use in military installations. This will extend well beyond WLAN equipment to include consumer cell phones and even pagers. The new policy is an extension of existing guidelines that prohibit non-secured cell phones and some other wireless devices in areas where classified information may be discussed, pushing the boundaries for such devices well beyond areas where sensitive information may be accessible.

Pentagon to issue wireless disconnect order - computerworld.com

DOD focused on wireless security - Federal Computer Week
